This month’s Patch Tuesday, Microsoft addresses a vulnerability that exists in the Windows Kerberos implementation for AppContainers. With a CVS v3 score of 9.4/8.2 this is a critical update that should be remediated with the highest priority.
Isolation is the primary goal of an AppContainer execution environment. By isolating an application from unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting access based upon least-privilege prevents applications and users from accessing resources beyond their rights. Controlling access to resources protects the process, the device, and the network.
Managing identity and credentials, the AppContainer prevents the use of user credentials to gain access to resources or login to other environments. The AppContainer environment creates an identifier that uses the combined identities of the user and the application, so credentials are unique to each user/application pairing and the application cannot impersonate the user.
About Service Principal Names
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows an application to request that the service authenticate an account even if the client does not have the account name.
Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account.
About this vulnerability
A vulnerability in Windows Kerberos allows an attacker to bypass Kerberos-based authentication and potentially authenticate to an arbitrary service principal name (SPN), allowing a connection without a password. This could allow an attacker to potentially bypass authentication to access any service that is accessible through one or more SPNs.
The vulnerability was responsibly disclosed by James Forshaw of Google Project Zero and is therefore not yet being exploited in the wild.
COMMON VULNERABILITY SCORING
With a CVSS score of 9.4/8.2, the vulnerability has the potential to be both directly impactful and is also exceptionally simple to exploit.
Affected Operating Systems
All supported Windows versions and Windows Server versions are affected, as far back as Windows Server 2008 and Windows 8.1. Both Full installations and Server Core installations of Windows Server are affected.
Call to action
Microsoft strongly recommends you to install the (cumulative) June 2021 update for the Operating Systems in your networking environment.
As the cumulative updates for recent versions of Windows and Windows Server also contain the quality improvements as released as part of the Preview update of May 20th, 2021, roll-out updates in test environments and/or rings to detect problems quickly.